Merged
@@ -0,0 +1,48 @@
---
title: About using Copilot CLI in GitHub Actions
shortTitle: Copilot CLI in Actions
allowTitleToDifferFromFilename: true
intro: 'You can run {% data variables.copilot.copilot_cli_short %} in a {% data variables.product.prodname_actions %} workflow using either a {% data variables.product.pat_generic %} or the built-in `GITHUB_TOKEN`. The two approaches differ in how {% data variables.product.prodname_ai_credits_short %} are billed and what setup is required.'
versions:
feature: copilot
contentType: concepts
category:
- Learn about Copilot CLI # Copilot CLI bespoke page
docsTeamMetrics:
- copilot-cli
---

## Authentication and billing options

When you run {% data variables.copilot.copilot_cli_short %} in a {% data variables.product.prodname_actions %} workflow, you can authenticate using either a {% data variables.product.pat_generic %} (PAT) or the built-in `GITHUB_TOKEN`.

* **Using a PAT**: The workflow authenticates as the user who created the PAT. {% data variables.product.prodname_ai_credits_short %} are drawn from that user's {% data variables.product.prodname_copilot_short %} seat entitlements, and their license determines which models and features are available. This works in any repository but introduces operational and security risks for organizations running automations at scale.
* **Using `GITHUB_TOKEN`**: The workflow authenticates as an installation, with no individual user associated with the request. How {% data variables.product.prodname_ai_credits_short %} are billed depends on where the workflow runs:

* In a **personally-owned repository**, usage is billed to the repository owner's {% data variables.product.prodname_copilot_short %} seat.
* In an **organization-owned repository**, usage is metered directly to the organization. This requires the **"Allow use of {% data variables.copilot.copilot_cli_short %} billed to the organization"** policy to be enabled by an organization owner.

Using `GITHUB_TOKEN` in an organization-owned repository is the recommended approach for automations. Each workflow run receives a short-lived, scoped token generated by {% data variables.product.prodname_actions %}, so no long-lived credentials need to be stored or rotated.

Note that this policy is separate from your {% data variables.product.prodname_copilot_short %} licensing setup. Enterprises that issue licenses through a dedicated organization and do their work in other organizations do not need {% data variables.product.prodname_copilot_short %} licensing enabled in the working organization, only the policy.

## Controlling cost

When usage is billed directly to the organization, user-level {% data variables.product.prodname_copilot_short %} budgets are not considered, because the cost is not attributed to any individual user. To manage spend for {% data variables.copilot.copilot_cli_short %} usage billed this way, you can:

* Configure cost centers for the relevant organizations. Cost centers allow cost attribution to groups of organizations, and budgets can be applied to cost centers. See [AUTOTITLE](/billing/concepts/cost-centers).
* Monitor {% data variables.product.prodname_copilot_short %} usage from your organization's billing and usage dashboards to track consumption over time.

## Security considerations

Running {% data variables.copilot.copilot_cli_short %} in automated workflows introduces security risks that are independent of which authentication method you use. Because {% data variables.copilot.copilot_cli_short %} is an agentic tool that can read and modify repository contents, a compromised or misconfigured workflow can cause unintended changes.

To reduce risk:

* Use [{% data variables.product.github %} Agentic Workflows](https://github.com/github/gh-aw) rather than invoking {% data variables.copilot.copilot_cli_short %} directly in `run` steps. Agentic Workflows are designed with guardrails for automated use.
* Follow the principle of least privilege when setting workflow permissions.
* Review workflow triggers carefully. Workflows that run on pull request events from forks are at higher risk of prompt injection.

## Next steps

To learn how to set up {% data variables.copilot.copilot_cli_short %} with `GITHUB_TOKEN` in a {% data variables.product.prodname_actions %} workflow, see [AUTOTITLE](/copilot/how-tos/copilot-cli/use-copilot-cli-in-actions).
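Review bot: The prompt-injection bullet (the last item under "To reduce risk:") should name the concrete trigger and input that carry the risk rather than saying fork pull requests in general. A plain `pull_request` run from a fork already gets a read-only `GITHUB_TOKEN` and no secrets; the dangerous case is `pull_request_target` (and `issue_comment` / `issues` style triggers), which run with the base repository's token while feeding attacker-controlled text (PR title, body, comments) into the prompt. Suggest: "Avoid `pull_request_target` and other triggers that run with write access on untrusted input such as pull request titles, bodies and comments, because that text reaches the prompt." Two smaller points in the same hunk: the PAT bullet says the approach "introduces operational and security risks ... at scale" without saying which (the token is long-lived, is tied to a person who may leave or lose access, and acts with everything that person can do), and the "short-lived, scoped token" sentence should point at the `permissions:` key, since that is what sets the scope and the reader needs `copilot-requests: write` there.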
1 change: 1 addition & 0 deletions content/copilot/concepts/agents/copilot-cli/index.md
Original file line number Diff line number Diff line change
Expand Up @@ -8,6 +8,7 @@ versions:
children:
- /about-copilot-cli
- /comparing-cli-features
- /copilot-cli-in-github-actions
- /cancel-and-roll-back
- /about-remote-control
- /about-custom-agents
Expand Up @@ -17,11 +17,18 @@ docsTeamMetrics:

You can run {% data variables.copilot.copilot_cli %} in a {% data variables.product.prodname_actions %} workflow to automate AI-powered tasks as part of your CI/CD process. For example, you can summarize recent repository activity, generate reports, or scaffold project content. {% data variables.copilot.copilot_cli %} runs on the Actions runner like any other CLI tool, so you can install it during a job and invoke it from workflow steps.

## Recommended approach: {% data variables.product.github %} Agentic Workflows

For most automation use cases, we recommend using [{% data variables.product.github %} Agentic Workflows](https://github.com/github/gh-aw) rather than invoking `copilot` directly in workflow steps. Agentic workflows use `GITHUB_TOKEN` authentication by default and include additional guardrails suited for automated environments.

For setup instructions, see [Quick Start](https://github.github.com/gh-aw/setup/quick-start/) in the {% data variables.product.github %} Agentic Workflows documentation.

## Using {% data variables.copilot.copilot_cli_short %} in an Actions workflow

You can define a job in a {% data variables.product.prodname_actions %} workflow that: installs {% data variables.copilot.copilot_cli_short %} on the runner, authenticates it, runs it in programmatic mode, and then handles the results. Programmatic mode is designed for scripts and automation and lets you pass a prompt non-interactively.

Workflows can follow this pattern:

1. **Trigger**: Start the workflow on a schedule, in response to repository events, or manually.
1. **Setup**: Checkout code, set up environment.
1. **Install**: Install {% data variables.copilot.copilot_cli %} on the runner.
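Review bot: The "Recommended approach" section in this hunk is duplicated word for word in the new how-to page later in this PR (same heading, same two paragraphs); suggest moving the text into a reusable so the two copies cannot drift, or keeping it on one page and linking from the other. Also, "Agentic workflows use `GITHUB_TOKEN` authentication by default" reads as if nothing else is needed, but the concepts page in this PR states that `GITHUB_TOKEN` use in an organization-owned repository requires the "Allow use of Copilot CLI billed to the organization" policy; a short "provided the organization policy is enabled" clause here would avoid a confusing failure for readers who start from this page.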
Expand Down Expand Up @@ -118,14 +125,19 @@ In this example, the workflow installs {% data variables.copilot.copilot_cli %}

## Authenticate

To allow {% data variables.copilot.copilot_cli_short %} to run on an Actions runner, you need to authenticate a {% data variables.product.github %} user account with a valid {% data variables.product.prodname_copilot_short %} license.
To allow {% data variables.copilot.copilot_cli_short %} to run on an Actions runner, you need to provide authentication credentials. There are two options:

* **Using `GITHUB_TOKEN`** (recommended for organization-owned repositories): No PAT or stored secrets required. See [AUTOTITLE](/copilot/how-tos/copilot-cli/use-copilot-cli-in-actions).
* **Using a {% data variables.product.pat_generic %}**: An alternative to `GITHUB_TOKEN`, for example if your organization has not enabled the policy, or if you want usage billed to a specific user's {% data variables.product.prodname_copilot_short %} seat. Follow the steps below.

**Step 1: Create a {% data variables.product.pat_generic %} (PAT) with the "{% data variables.product.prodname_copilot_short %} Requests" permission:**

**Step 1: Create a {% data variables.product.pat_generic %} (PAT) with the "Copilot Requests" permission:**
1. Go to your personal settings for creating a {% data variables.product.pat_v2 %}: [github.com/settings/personal-access-tokens/new](https://github.com/settings/personal-access-tokens/new?ref_product=copilot&ref_type=engagement&ref_style=text).
1. Create a new PAT with the "Copilot Requests" permission.
1. Create a new PAT with the "{% data variables.product.prodname_copilot_short %} Requests" permission.
1. Copy the token value.

**Step 2: Store the PAT as an Actions repository secret:**

1. In your repository, go to **Settings** > **Secrets and variables** > **Actions** and click **New repository secret**.
1. Give the secret a name that you will use in the workflow. In this example we're using `PERSONAL_ACCESS_TOKEN` as the name of the secret.
1. Paste the token value into the "Secret" field and click **Add secret**.
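Review bot: The PAT bullet ("An alternative to `GITHUB_TOKEN` ...") should carry the least-privilege guidance that the step list then only implies: create a fine-grained PAT with only the "Copilot Requests" permission and the minimum repository access, set an expiration, and note that the workflow then runs with that user's identity and entitlements (the concepts page in this PR says this; this page does not). Suggest adding one sentence after "Follow the steps below.", for example: "The workflow acts as the token's owner, so scope the token to the "Copilot Requests" permission only, give it an expiration, and rotate it when that user's access changes."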
1 change: 1 addition & 0 deletions content/copilot/how-tos/copilot-cli/index.md
Expand Up @@ -21,6 +21,7 @@ children:
- /automate-copilot-cli
- /customize-copilot
- /administer-copilot-cli-for-your-enterprise
- /use-copilot-cli-in-actions
- /automate-copilot-cli/automate-with-actions
- /automate-copilot-cli/quickstart
- /automate-copilot-cli/run-cli-programmatically
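Review bot: The new child `/use-copilot-cli-in-actions` overlaps in scope with the existing `/automate-copilot-cli/automate-with-actions` entry three lines below it (both pages describe running the CLI in an Actions workflow), and it is the only Actions-related page not nested under `/automate-copilot-cli/`. Suggest either placing it under that group next to `automate-with-actions` for consistent navigation, or stating in the page intro how the two pages divide the topic (`GITHUB_TOKEN` setup here, PAT setup there).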
68 changes: 68 additions & 0 deletions content/copilot/how-tos/copilot-cli/use-copilot-cli-in-actions.md
@@ -0,0 +1,68 @@
---
title: Using Copilot CLI in GitHub Actions with GITHUB_TOKEN
shortTitle: Copilot CLI in Actions
intro: 'Run {% data variables.copilot.copilot_cli_short %} in a {% data variables.product.prodname_actions %} workflow using the built-in `GITHUB_TOKEN`, without a {% data variables.product.pat_generic %}.'
versions:
feature: copilot
contentType: how-tos
allowTitleToDifferFromFilename: true
category:
- Manage Copilot for a team # Copilot discovery page
- Administer Copilot CLI # Copilot CLI bespoke landing page
docsTeamMetrics:
- copilot-cli
---

For background on authentication options and how billing works when running {% data variables.copilot.copilot_cli_short %} in {% data variables.product.prodname_actions %}, see [AUTOTITLE](/copilot/concepts/agents/copilot-cli/copilot-cli-in-github-actions).

## Enabling the policy

For workflows in your organization to use {% data variables.copilot.copilot_cli_short %} with `GITHUB_TOKEN`, the policy must be enabled. This policy is enabled by default for organizations with {% data variables.copilot.copilot_cli_short %} turned on, but you can confirm or change this setting in your organization's policy settings.

1. Navigate to the policy settings for your organization. See [AUTOTITLE](/copilot/how-tos/administer-copilot/manage-for-organization/manage-policies).
1. Under "{% data variables.copilot.copilot_cli_short %}", confirm that **Allow use of {% data variables.copilot.copilot_cli_short %} billed to the organization** is selected.

## Recommended approach: {% data variables.product.github %} Agentic Workflows

For most automation use cases, we recommend using [{% data variables.product.github %} Agentic Workflows](https://github.com/github/gh-aw) rather than invoking `copilot` directly in workflow steps. Agentic workflows use `GITHUB_TOKEN` authentication by default and include additional guardrails suited for automated environments.

For setup instructions, see [Quick Start](https://github.github.com/gh-aw/setup/quick-start/) in the {% data variables.product.github %} Agentic Workflows documentation. Your workflow must also grant the `copilot-requests: write` permission. See [Permissions](https://github.github.com/gh-aw/reference/permissions/) in the {% data variables.product.github %} Agentic Workflows documentation.

## Using {% data variables.copilot.copilot_cli_short %} directly in a workflow

If you need to invoke {% data variables.copilot.copilot_cli_short %} directly in a workflow step, install the CLI with npm.

> [!WARNING]
> Invoking {% data variables.copilot.copilot_cli_short %} directly in workflow steps gives it broad access to your workflow environment. Review your workflow triggers and permissions carefully before using this approach. Workflows triggered by pull requests from forks are particularly at risk.

### Example workflow

```yaml
name: Copilot CLI example
on: [push]

permissions:
contents: read
copilot-requests: write

jobs:
copilot:
runs-on: ubuntu-latest
steps:
- uses: {% data reusables.actions.action-checkout %}
- name: Install Copilot CLI
run: npm install -g @github/copilot
- name: Run Copilot
run: copilot --yolo -p "Summarize the changes in this commit"
env:
GITHUB_TOKEN: ${{ github.token }}
```

Key details about this example:

* The `--yolo` flag suppresses interactive prompts, which is required for non-interactive environments like {% data variables.product.prodname_actions %}.
* The `copilot-requests: write` permission is required for the workflow to make {% data variables.product.prodname_copilot_short %} requests.
* The `GITHUB_TOKEN` provided by {% data variables.product.prodname_actions %} handles authentication automatically, no additional secrets are needed.

> [!NOTE]
> You must be on a recent version of {% data variables.copilot.copilot_cli_short %} to use `GITHUB_TOKEN` authentication. Update with `copilot update`, or reinstall the latest version with `npm install -g @github/copilot`.
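Review bot: The first bullet under "Key details about this example" understates what `--yolo` does: it does not merely suppress prompts, it auto-approves every tool invocation the agent chooses (shell commands, file writes) without confirmation, which is the whole reason the WARNING block above applies. Suggest: "The `--yolo` flag auto-approves all tool executions so the run needs no interactive confirmation; only use it with the restricted `permissions` shown here." In the same list it would help to say that `contents: read` is deliberate (the token cannot push, so an unwanted change stays confined to the runner) and to fix the comma splice in the last bullet ("... handles authentication automatically; no additional secrets are needed"). Finally, the NOTE says "a recent version" without stating the minimum version that added `GITHUB_TOKEN` support; a concrete version lets readers check `copilot --version` instead of guessing.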
33 changes: 0 additions & 33 deletions package-lock.json
5 changes: 0 additions & 5 deletions package.json
Expand Up @@ -259,7 +259,6 @@
"remark-rehype": "^11.1.2",
"remark-remove-comments": "^1.1.1",
"remark-stringify": "^11.0.0",
"scroll-anchoring": "^0.1.0",
"semver": "^7.7.4",
"sharp": "0.33.5",
"slash": "^5.1.0",
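Review bot: Dropping `scroll-anchoring` here (and `@types/event-to-promise`, `eslint-plugin-escompat`, `event-to-promise` and `robots-parser` in the following hunks of this file) is an unrelated dependency cleanup inside a docs-content PR; suggest either splitting it into its own PR or stating in the description that these packages have no remaining imports, so the 33-line `package-lock.json` change above can be reviewed as a pure removal rather than a silent version drift.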
Expand Down Expand Up @@ -288,7 +287,6 @@
"@types/cookie": "0.6.0",
"@types/cookie-parser": "1.4.8",
"@types/eslint-plugin-jsx-a11y": "^6.10.1",
"@types/event-to-promise": "^0.7.5",
"@types/express": "^5.0.6",
"@types/imurmurhash": "^0.1.4",
"@types/js-cookie": "^3.0.6",
Expand All @@ -313,7 +311,6 @@
"eslint-config-prettier": "^10.1.8",
"eslint-import-resolver-typescript": "^4.4.4",
"eslint-plugin-custom-rules": "file:src/eslint-rules",
"eslint-plugin-escompat": "^3.11.4",
"eslint-plugin-eslint-comments": "^3.2.0",
"eslint-plugin-filenames": "^1.3.2",
"eslint-plugin-github": "^6.0.0",
Expand All @@ -323,7 +320,6 @@
"eslint-plugin-no-only-tests": "^3.3.0",
"eslint-plugin-prettier": "^5.5.5",
"eslint-plugin-primer-react": "^9.0.0",
"event-to-promise": "^0.8.0",
"globals": "^17.3.0",
"gpt-tokenizer": "^3.4.0",
"graphql": "^16.12.0",
Expand All @@ -341,7 +337,6 @@
"patch-package": "^8.0.1",
"prettier": "^3.8.1",
"rimraf": "^6.1.3",
"robots-parser": "^3.0.1",
"sass": "^1.97.3",
"start-server-and-test": "^3.0.0",
"unist-util-remove": "^4.0.0",
2 changes: 0 additions & 2 deletions src/content-linter/lib/helpers/liquid-utils.ts
Expand Up @@ -30,8 +30,6 @@ export function getLiquidTokens(

export const OUTPUT_OPEN = '{%'
export const OUTPUT_CLOSE = '%}'
export const TAG_OPEN = '{{'
export const TAG_CLOSE = '}}'

export const conditionalTags = ['if', 'elseif', 'unless', 'case', 'ifversion']

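Review bot: Removing the exported `TAG_OPEN` / `TAG_CLOSE` constants is only safe if no importer remains, and since they were exported the check should cover the whole `src/` tree, not just this module. Separately, the surviving names look swapped relative to Liquid's own syntax: `{%` / `%}` delimit Liquid tags and `{{` / `}}` delimit output, yet the constants kept here call `{%` `OUTPUT_OPEN`. If the `{{` pair was the unused one, consider renaming the survivors to `TAG_OPEN` / `TAG_CLOSE` in the same change so the helper does not keep a misleading name.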